IDS mailing list archives
Re: Random IDS Thoughts [WAS: Re: IDS thoughts]
From: Magnus Almgren <almgren () ce chalmers se>
Date: Tue, 3 Jun 2003 08:47:31 +0200 (MEST)
> > could be beaten by flooding a network with "anomalous" traffic
>
> Rather naive. If you have a product that does not "adapt", this is
> obviously not a problem (i.e., you deploy it, you train it, then you
> "lock" it). Letting an algorithm learn by itself and still not get
> fooled by a semantic drift (this is one of the current names for the
> effect you described) is not an easy task [...]
There is a recent interesting paper about anomaly detection systems. The authors discuss two different methods to avoid an anomaly detection system. First, you can corrupt the training data so that the detector judges attacks to be accepted behavior. This is non-trivial for the attacker. Second, you can change the attack so that it does not generate events that manifest themselves in an anomalous (thus detectable) way to the detector. This is the approach they have followed in this paper. They have taken a research prototype and demonstrated how they can change previously detected attacks to become invisible to the detector. It is a good article, and I recommend it.

Tan, Kymie M. C.; Killourhy, Kevin S. and Maxion, Roy A. "Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits." In Fifth International Symposium on Recent Advances in Intrusion Detection (RAID-2002), Andreas Wespi, Giovanni Vigna and Luca Deri (Eds.), 16-18 October 2002, Zurich, Switzerland, pp. 54-73. Lecture Notes in Computer Science #2516, Springer-Verlag, Berlin, 2002.

If you have access to Springer, you can find the article at
http://search.springer.de/link-cgi/view-hd.pl?/search97cgi/s97_cgi?action=view&queryZIP=%28%22Maxion%22%29&vdkVgwKey=%2Fglobal%2Fdata%2Fverity%2Flink%2Fabstracts%2Fjour%2Fseries%2F0558%2Fbibs%2F2516%2F25160054.htm&strURL=http://link.springer.de/link/service/series/0558/papers/2516/25160054.pdf&strXML=http://search.springer.de:80/search97cgi/s97_cgi?action=view&collection=springer02&doctype=xml&vdkVgwKey=%2Fjour%2Fseries%2F0558%2Fpapers%2F2516%2F25160054.pdf&queryZIP=%28%22Maxion%22%29

Cheers,
Magnus
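The two evasion strategies Magnus summarises (corrupting the training data, and reshaping an attack so it never manifests as anomalous events), together with the "lock it" versus "let it adapt" distinction in the quoted text, can be made concrete with a toy sliding-window anomaly detector over system-call traces. The example below is added here and is not code from the post, from the cited paper, or from the research prototype it studied; it assumes an n-gram detector of the kind that stores every fixed-length window seen in training, a window length of 3 and an alert threshold of 3 foreign windows (both picked small so the counts can be followed by hand), and all traces, the normal ones and the attack ones, are constructed for illustration. It goes slightly beyond the post by also showing how an adaptive detector can be walked into accepting the attack through a single benign-looking trace.

```python
"""Toy sliding-window (n-gram) anomaly detector over system-call traces,
illustrating (1) corruption of the training data of a detector that keeps
learning and (2) reshaping an attack so that it emits no foreign window.
Added example, not code from the post or from the cited paper; WINDOW,
THRESHOLD, the program traces and the attack traces are all constructed
assumptions."""

WINDOW = 3      # assumed window length (real detectors use longer windows)
THRESHOLD = 3   # assumed: alert when a trace contains this many foreign windows


class NgramDetector:
    """Stores every WINDOW-length sequence seen in training; a window that
    was never seen is 'foreign'.  In adaptive mode every trace that does
    not raise an alert is merged into the profile (this is what allows the
    profile to drift)."""

    def __init__(self, n=WINDOW, threshold=THRESHOLD, adaptive=False):
        self.n = n
        self.threshold = threshold
        self.adaptive = adaptive
        self.normal = set()

    def windows(self, trace):
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def train(self, traces):
        for t in traces:
            self.normal.update(self.windows(t))
        return self

    def foreign(self, trace):
        """Windows of trace that are absent from the normal profile."""
        return [w for w in self.windows(trace) if w not in self.normal]

    def inspect(self, trace):
        """Return True if the trace raises an alert; an adaptive detector
        learns the windows of every trace it lets through."""
        foreign = self.foreign(trace)
        alert = len(foreign) >= self.threshold
        if self.adaptive and not alert:
            self.normal.update(foreign)
        return alert


# Constructed normal traces of a login-like setuid program: it reads the
# credentials, then either drops to the user (setuid, execve) or reports a
# failure (write, exit).
NORMAL = [
    ["open", "read", "close", "setuid", "execve"],
    ["open", "read", "read", "close", "write", "exit"],
    ["open", "read", "write", "close", "setuid", "execve"],
    ["open", "read", "read", "close", "setuid", "execve"],
    ["open", "read", "read", "write", "close", "write", "exit"],
]

# Constructed attack: an overlong input takes three reads to deliver, then
# injected code calls setuid/execve directly.
ATTACK = ["open", "read", "read", "read", "setuid", "execve"]

# Strategy 2 (reshape the attack): a shorter payload fits in two reads and the
# injected code issues write and close before setuid, so every window already
# occurs in NORMAL even though the trace as a whole never does.
ATTACK_RESHAPED = ["open", "read", "read", "write", "close", "setuid", "execve"]

# Strategy 1 (corrupt the training data of a detector that keeps learning):
# a benign-looking overlong failed login whose only new window is
# (read, read, read).
POISON = ["open", "read", "read", "read", "close", "write", "exit"]


def locked_results():
    """Detector trained once and then locked: the poison trace changes nothing."""
    det = NgramDetector().train(NORMAL)
    return {
        "attack": det.inspect(ATTACK),             # 3 foreign windows -> alert
        "reshaped": det.inspect(ATTACK_RESHAPED),  # 0 foreign windows -> silent
        "after_poison": (det.inspect(POISON), det.inspect(ATTACK)),  # (False, True)
    }


def adaptive_results():
    """Same profile, but the detector learns from everything it lets through."""
    det = NgramDetector(adaptive=True).train(NORMAL)
    first = det.inspect(ATTACK)    # 3 foreign windows -> alert, nothing learned
    det.inspect(POISON)            # 1 foreign window -> accepted, (read,read,read) learned
    second = det.inspect(ATTACK)   # now 2 foreign windows -> below threshold, learned
    third = det.inspect(ATTACK)    # 0 foreign windows: the attack is now "normal"
    return first, second, third, len(det.foreign(ATTACK))


if __name__ == "__main__":
    print("locked detector  :", locked_results())
    print("adaptive detector:", adaptive_results())
```

The locked detector flags the original attack every time and the poison trace buys the attacker nothing, but the reshaped attack is invisible to it because detection is purely per-window: the trace as a whole is unprecedented, yet none of its 3-call windows is. The adaptive detector is worse off: one accepted overlong failed login lowers the attack's foreign-window count under the threshold, the attack itself is then learned, and from that point on it is part of the profile.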
Current thread:
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] Stefano Zanero (Jun 02)
- RE: Random IDS Thoughts [WAS: Re: IDS thoughts] Mike Lyman (Jun 07)
- RE: Random IDS Thoughts [WAS: Re: IDS thoughts] Roger A. Grimes (Jun 07)
- RE: Random IDS Thoughts [WAS: Re: IDS thoughts] Mike Lyman (Jun 07)
- RE: Random IDS Thoughts [WAS: Re: IDS thoughts] Roger A. Grimes (Jun 07)
- <Possible follow-ups>
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] Stefano Zanero (Jun 02)
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] Magnus Almgren (Jun 03)
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] SecurIT Informatique Inc. (Jun 03)
- RE: Random IDS Thoughts [WAS: Re: IDS thoughts] Steven Rudolph (Jun 12)
- RE: Random IDS Thoughts [WAS: Re: IDS thoughts] Mike Lyman (Jun 13)
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] Bill Royds (Jun 13)
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] oudot laurent (Jun 17)
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] Devdas Bhagat (Jun 14)
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] Anton A. Chuvakin (Jun 17)
- RE: Random IDS Thoughts [WAS: Re: IDS thoughts] Mike Lyman (Jun 07)